This invention relates to computer security and a method to optimize password resetting.
Passwords and other type of authentication data are widely used for authentication and access control in many systems. One problem of using passwords for authentication and access control is that people often forget passwords. When a user forgets the password, it needs to be reset so that the user can access the system again. For security reasons, there must be a procedure to authenticate the person who requests password resetting prior to password being reset.
Authentication processes of various security levels have been used in a variety of systems to reset users' passwords. For example, some systems use a “recovery phrase” selected by the user at the account setup to help authenticate the user when the password needs to be reset. The problem with this method is that, if the user can forget the password, he also may forget the recovery phrase which is used less often.
Some systems use a “fact” that the user is unlikely to forget to authenticate the user. For example, Ellen R. O'Connell (U.S. Pat. No. 5,991,882) discloses a method that uses a question and an answer registered at the account setup to authenticate the user when the password needs to be reset. The question and the answer are usually related to a fact that the user is unlikely to forget, such as the user's birth place, mother's maiden name, favorite color, the name of their first pet, etc. Another such example is the key recovery feature of a public/private-key-based secure transmission system disclosed in U.S. Pat. No. 6,760,752. The system hosts every user's public key in a central key server and stores the corresponding private key on the user's computer encrypted using a “Signature Phrase.” When the public/private key pair is generated, the user may select a “Recover Question” and provide the corresponding “Recovery Answer.” The “Recovery Answer” is then used to encrypt a copy of the private key to be stored on the central key server along with a modified hash of the “Recovery Answer.” When a user forgets the “Signature Phrase” or loses the private key, the system will present the “Recovery Question” to the user, and if the user can provide the correct “Recovery Answer”, an encrypted “Recovery Package” will be sent to the user to allow the user to recover the private key. During the entire signing up and recovery processes, neither the user's private key nor the “Recovery Answer” needs to be exposed to the central server. The central server only gets an encrypted copy of the private key and a modified hash of the “Recovery Answer.” The problem of both of these approaches is that the question and the answer must be related to some facts the user is unlikely to forget. However, such facts are often not a secret known only to the user. In addition, the number of possible answers is usually small, thus allowing brute force attacks (trying every possible answer).
John Banes et al. (U.S. Publication No. 20030182584) discloses a system that uses a “recovery disk” for password resetting/recovery purpose. In such a system, a pair of public and private keys is generated, the private key is stored in a removable device, and the public key is used to encrypt the password. When the user forgets the password, the removable device can be used to get the private key and then the private key can be used to decrypt the password previously encrypted by the public key. The problem with this system is that the user has to keep the recovery disk in a safe place. If the recovery disk is lost, the user will no longer be able to recover or reset the password and another person who gets the recovery disk may be able to obtain the user's password. Further, some recovery disks have a password for access to the private key. This disk access password may also be forgotten by the user.
In some tightly controlled systems, the administrator may require the user to appear in person before the password can be reset. Some systems may require only a telephone call and the operator will ask a few personal questions to authenticate the user before the password can be reset. In some loosely controlled systems, the password can be reset with a plaintext email sent to the user to confirm that the user can receive the message at a specific email address. Some systems even allow the password to be reset arbitrarily but will send an email to alert the user that the password has been reset.
The choice of the password resetting procedure is usually determined by the value of the user data protected by the password, user convenience, and the cost of customer support in the event the user forgets the password. Generally, the more secure the password resetting procedure, the less convenient it is for the users, and the higher the cost of the customer support. For example, a password resetting procedure that requires only a plaintext email confirmation demands very little customer support. A password resetting procedure that requires a user to appear in person or verification of user's personal information over the phone will incur considerable cost in customer support. A password resetting procedure that requires the users to select a “recovery phrase” or “fact” will add an extra step at the account setup. And because the user may also forget the “recovery phrase” or “fact” the cost of customer support cannot be avoided.
Many systems offering free services on the Internet use password resetting procedures of minimal security in order to reduce the cost of customer support to the minimum. This usually results in a very questionable security level.
One such example is a typical web based secure email service. Such a service allows a user to pick up a secure message from a message center using a browser over an SSL connection by entering a password. In order to reduce the cost of customer support, an extremely loose password resetting procedure is usually chosen. The password can be changed by clicking a “change password” link and responding to a confirmation email message. The problem of such a service is that the password resetting procedure actually allows anyone who has access to the user's plaintext email messages to reset the password and gain access to messages stored in the message center. Therefore, the security level offered by such a service is equivalent to plaintext email, except that the user will notice that the password has been changed if the user account has been attacked.
Most of the existing systems use a fixed password resetting procedure for everyone, do not give the user a choice for using different password resetting procedures according to the user's security requirements, and do not allow the choice to be altered when the user's security requirements and the likelihood of forgetting the password changes. The problem is that the value of the user data and the likelihood of the user forgetting passwords are not equal for different users and can change over time even for the same user. Take the example of a web-based secure email system with automatic message expiration. Some users of the system seldom receive secure messages, so often the messages have expired and have been purged. There is very little value in the user account. This type of user is also more likely to forget their passwords. On the other hand, there may be users who use the secure email system routinely and have many messages stored there. These users are very unlikely to forget their passwords. When a user first signs up for a secure email account, he/she probably just wants to give it a try to determine whether it is useful to them. At this time, the value of the account is usually low and the user is very likely to forget the password. However, as the user starts to use the account seriously and frequently, the value of the user data in the account will increase and the likelihood of the user forgetting the password will decrease.
Another example is an online stock trading or online banking account. A user with an account balance of $10,000,000 might require a more secure password resetting method than a user with $8,000 in the online account. In addition to the value, there is also a difference in the likelihood for different users to forget the password. A stock trader who trades frequently online is very unlikely to forget the password of his/her online trading account.
It is clear that a fixed password resetting procedure does not offer an optimized choice of a password resetting method to balance security requirements, user convenience, and the cost of customer support. There is a need for a system and method that can optimize the choice of password resetting procedure to maximize the security while minimizing the customer support and user inconveniences.